ABSTRACT

As required by the Computer Security Act of 1987, federal agencies have to identify systems that contain sensitive information and develop plans to safeguard them. The planning process was assessed in 10 civilian agencies as well as the extent to which they had implemented planning controls described in 22 selected plans. The National Institute of Standards and Technology (NIST)/National Security Agency (NSA) review of the plans was also assessed. Officials cited three problems relating to the design and implementation of the planning process: (1) the plans lacked adequate information to serve as management tools and some agencies already had planning processes in place; (2) managers had little time to prepare the plans; and (3) the Office of Management and Budget (OMB) planning guidance was sometimes unclear and misinterpreted by agency officials. This report provides background information on the Computer Security Act and discussions of each of the three major problems identified. It concludes by recommending that NIST, NSA, and OMB provide guidance and technical assistance to federal agencies by visiting the agencies and discussing their computer security programs, the extent to which they have identified their sensitive computer systems, the quality of their security plans, and their unresolved internal control weaknesses. Six appendices cover the objectives, scope, and methodology of the reviews; the systems covered by the 22 plans reviewed; a composite security and privacy plan; NIST/NSA feedback on computer security plans; the status of security controls in 1,542 plans; and major contributors to the report. Four related publications are listed.
The Honorable Robert A. Roe
Chairman, Committee on Science, Space, and Technology
House of Representatives

Dear Mr. Chairman:

This report responds to your June 5, 1989, request and subsequent agreements with your office that we review the governmentwide computer security planning and review process required by the Computer Security Act of 1987. The act required federal agencies to identify systems that contain sensitive information and to develop plans to safeguard them. As agreed, we assessed the (1) planning process in 10 civilian agencies as well as the extent to which they implemented planned controls described in 22 selected plans and (2) National Institute of Standards and Technology (NIST)/National Security Agency (NSA) review of the plans.

This is the fifth in a series of reports on implementation of the Computer Security Act that GAO has prepared for your committee. Appendix I details the review's objectives, scope, and methodology. Appendix II describes the systems covered by the 22 plans we reviewed.

Results in Brief

The planning and review process implemented under the Computer Security Act did little to strengthen computer security governmentwide. Although agency officials believe that the process heightened awareness of computer security, they typically described the plans as merely "reporting requirements" and of limited use in addressing agency-specific problems.

Officials cited three problems relating to the design and implementation of the planning process: (1) the plans lacked adequate information to serve as management tools and some agencies already had planning processes in place, (2) managers had little time to prepare the plans, and (3) the Office of Management and Budget (OMB) planning guidance was sometimes unclear and misinterpreted by agency officials.



Although a year has passed since the initial computer security plans were completed, agencies have made little progress in implementing planned controls. Agency officials said that budget constraints and inadequate top management support — in terms of resources and commitment — were key reasons why controls had not been implemented.

Based on the results of the planning and review process, OMB — in conjunction with NIST and NSA — issued draft security planning guidance in January 1990. The draft guidance focuses on agency security programs and calls for NIST, NSA, and OMB to visit agencies to discuss their security programs and problems, and provide advice and technical assistance. We believe that efforts directed toward assisting agencies in solving specific problems and drawing top management attention to computer security issues have greater potential for improving computer security governmentwide.



Background

The Computer Security Act of 1987 (P.L. 100-235) was passed in response to concerns that the security of sensitive information was not being adequately addressed in the federal government.[1] The act's intent was to improve the security and privacy of sensitive information in federal computer systems by establishing minimum security practices. The act required agencies to (1) identify all developmental and operational systems with sensitive information, (2) develop and submit to NIST and NSA for advice and comment a security and privacy plan for each system identified, and (3) establish computer security training programs.

OMB Bulletin 88-16, developed with NIST and NSA assistance, provides guidance on the computer security plans required by the act. To be in compliance, approximately 60 civilian agencies submitted almost 1,600 computer security plans to a NIST/NSA review team in early 1989. Nearly all of the plans followed, to some degree, the format and content requested by the bulletin. The bulletin requested that the following information be included in each plan:

• Basic system identification: agency, system name and type, whether the plan combines systems, operational status, system purpose, system environment, and point of contact.

• Information sensitivity: laws and regulations affecting the system, protection requirements, and description of sensitivity.

• Security control status: reported as "in place," "planned," "in place and planned" (i.e., some aspects of the control are operational and others are planned), or "not applicable," and a brief description of and expected operational dates for controls that are reported as planned.[2] (Appendix V lists the controls.)

[1] The act defines sensitive information as any unclassified information that, in the event of loss, misuse, or unauthorized access or modification, could adversely affect the national interest, the conduct of a federal program, or the privacy to which individuals are entitled under the Privacy Act of 1974 (5 U.S.C. 552a).

Appendix III presents a composite security plan that we developed for this report as an example of the civilian plans we reviewed. It is representative of the content, format, and common omissions of the plans.



Plans Had Limited Impact on Agency Computer Security Programs

The goals of the planning process were commendable — to strengthen computer security by helping agencies identify and evaluate their security needs and controls for sensitive systems. According to agency officials, the process yielded some benefits, the one most frequently cited being increased management awareness of computer security. Further, some officials noted that the planning process provided a framework for reviewing their systems' security controls.

However, problems relating to the design and implementation of the planning process limited its impact on agency security programs. Specifically, (1) the plans lacked adequate information to serve as effective management tools, (2) managers had little time to prepare the plans, and (3) the OMB guidance was sometimes unclear and misinterpreted by the agencies. Consequently, most agency officials viewed the plans as reporting requirements, rather than as management tools.

Plans Lacked Adequate Information to Serve as Effective Management Tools



Although agency officials said that security planning is essential to the effective management of sensitive systems, the plans lacked important information that managers need in order to plan, and to monitor and implement plans. The plans did not include this information, in part, because they were designed not only to help agencies plan, but also to facilitate NIST/NSA's review of the plans and to minimize the risks of unauthorized disclosure of vulnerabilities. For example:

• Many plans provided minimal descriptions (a sentence or nothing at all) of system sensitivity and planned security controls. Detailed descriptions would have made the plans more useful in setting priorities for implementing planned controls.

• The plans did not assign responsibility for each planned control. It was not clear, therefore, who was accountable for implementing the control (e.g., who would be performing a risk assessment).

• The plans did not include resource estimates needed to budget for planned actions.

• The plans generally did not refer to computer security-related internal control weaknesses, although such information can be important in developing plans.

[2] In this report, we use the term "planned controls" to include controls that agencies reported as "planned" or "in place and planned" in their January 1989 plans. Both categories indicated that the controls were not fully in place.

Finally, officials from about one-third of the agencies said that they already had more comprehensive planning processes to help them identify and evaluate their security needs. As a result, the governmentwide process was largely superfluous for these agencies. Officials at such agencies said that their plans, which included information such as detailed descriptions of security controls, already met the objectives of the governmentwide planning process. Many officials said that what they needed was assistance in areas such as network security.



Officials had little time to adequately consider their security needs and prepare plans, further limiting the usefulness of the plans. OMB Bulletin 88-16 was issued July 6, 1988, 27 weeks before the plans were due to the NIST/NSA review team, as required by the Computer Security Act. However, less than 14 weeks was left after most agencies issued guidance on responding to the OMB request. Within the remaining time, instructions were sent to the component agencies and from there to the managers responsible for preparing the plans, meetings were held to discuss the plans, managers prepared the plans, and the plans were reviewed by component agencies and returned to the agencies for review. As a result, some managers had only a few days to prepare plans.



Many agency officials misinterpreted or found the guidance unclear as to how systems were to be combined in the plans, the definition of some key terms (e.g., "in place"), the level of expected detail, and the need to address telecommunications. For example, some plans combined many different types of systems — such as microcomputers and mainframes — having diverse functions and security needs, although the guidance specified that only similar systems could be combined. When dissimilar systems were combined, the plan's usefulness as a management tool was limited.

Further, for plans that combined systems, some agencies reported that a security control was in place for the entire plan, although it was actually in place for only a few systems. Agency officials stated that they combined systems in accordance with their understanding of the OMB guidance and NIST/NSA verbal instructions.

In addition, officials were confused about how much detail to include in the plans and whether to address telecommunications issues (e.g., network security). For example, they said that although the guidance asked for brief descriptions of systems and information sensitivity, NIST/NSA reviewers frequently commented that plans lacked adequate descriptions. NIST officials said they expected that the plans would be more detailed and discuss the vulnerabilities inherent in networks. They said, in retrospect, that it would have been helpful if the guidance had provided examples and clarified the level of expected detail.



Agencies Have Not Implemented Most Planned Security Controls

Although a year has passed since the initial computer security plans were completed, agencies have made little progress in implementing planned controls.[3] The 22 plans we reviewed contained 145 planned security controls. According to agency officials, as of January 1990, only 38 percent of the 145 planned controls had been implemented.

Table 1 shows the number and percentage of planned security controls that had been implemented as of January 1990.



[3] Only 4 percent of the security controls had implementation dates [illegible] 1990.

GAO/IMTEC-90-48 Governmentwide Computer Security Planning

Table 1: Implementation of Security Controls in 22 Plans

Security control                            Planned   Implemented   Percent implemented
Assignment of security responsibility             7             7                   100
Audit and variance detection                      7             7                   100
Confidentiality controls                          3             3                   100
User identification and authentication            2             2                   100
Personnel selection and screening                 7             6                    86
Security measures for support systems             9             5                    56
Security awareness and training measures         20            12                    60
Authorization/access controls                     4             2                    50
Contingency plans                                11             5                    45
Data integrity and validation controls            8             2                    25
Audit trails and maintaining journals            12             2                    17
Production, input/output controls                 8             1                    13
Risk/sensitivity assessment                      11             1                     9
Security specifications                          10             0                     0
Design review and testing                        11             0                     0
Certification/accreditation                      14             0                     0
Software controls                                 1             0                     0
Total                                           145            55                    38



According to many agency officials, budget constraints and lack of adequate top management support — in terms of resources and commitment — were key reasons why security controls had not yet been implemented.

Although some officials stated that the planning process has raised management awareness of computer security issues, this awareness has, for the most part, apparently not yet resulted in increased resources for computer security programs. A number of officials said that security has been traditionally viewed as overhead and as a target for budget cuts. Some officials noted that requests for funding of contingency planning, full-time security officers, and training for security personnel and managers have a low approval rate.
NIST/NSA Review Feedback Was General and of Limited Use to Agencies

Agency officials said that the NIST/NSA review comments and recommendations on their plans were general and of limited use in addressing specific problems. However, because the plans were designed to be brief and minimize the risk of unauthorized disclosure, they had little detailed information for NIST and NSA to review. Thus, the NIST/NSA review team focused their comments on (1) the plans' conformity with the OMB planning guidance and (2) governmentwide guidance (e.g., NIST Federal Information Processing Standards publications) relating to planned security controls. (Appendix IV provides an example of typical NIST/NSA review comments and recommendations.)

Despite the limited agency use of the feedback, NIST officials said that the information in the plans will be useful to NIST in identifying broad security weaknesses and needs. During the review process, the NIST/NSA review team developed a data base that included the status of security controls for almost 1,600 civilian plans. NIST intends to use statistics from the data base to support an upcoming report on observations and lessons learned from the planning and review process. Noting that the data have limitations — for example, varying agency interpretations of "in place" — NIST officials said that areas showing the greatest percentage of planned controls indicated areas where more governmentwide guidance might be needed. Appendix V shows the status of security controls in the civilian plans, according to our analysis of the NIST/NSA data base.[4]



Revised Guidance Provides for Agency Assistance

The 1990 draft OMB security planning guidance calls for NIST, NSA, and OMB to provide advice and technical assistance on computer security issues to federal agencies as needed. Under the guidance, NIST, NSA, and OMB would visit agencies and discuss (1) their computer security programs, (2) the extent to which the agencies have identified their sensitive computer systems, (3) the quality of their security plans, and (4) their unresolved internal control weaknesses. NIST officials said that the number of agencies visited in fiscal year 1991 will depend on that year's funding for NIST's Computer Security Division, which will lead NIST's effort, and the number of staff provided by NSA.

In addition, under the 1990 draft guidance, agencies would develop plans for sensitive systems that are new or significantly changed, did not have a plan for 1989, or had 1989 plans for which NIST and NSA could not provide comments because of insufficient information. Agencies would be required to review their component agency plans and provide independent advice and comment.

[4] NIST and NSA deleted agency and system names from the data base provided to us.



Conclusions

The government faces new levels of risk in information security because of increased use of networks and computer literacy and greater dependence on information technology overall. As a result, effective computer security programs are more critical than ever in safeguarding the systems that provide essential government services.

The planning and feedback process was an effort to strengthen computer security by helping agencies identify and assess their sensitive system security needs, plans, and controls. However, the plans created under the process were viewed primarily as reporting requirements, and although the process may have elevated management awareness of computer security, as yet it has done little to strengthen agency computer security programs.

OMB's draft planning security guidance creates the potential for more meaningful improvements by going beyond planning and attempting to address broader agency-specific security problems. However, although NIST, NSA, and OMB assistance can provide an impetus for change, their efforts must be matched by agency management commitment and actions to make needed improvements. Ultimately, it is the agencies' responsibility to ensure that the information they use and maintain is adequately safeguarded and that appropriate security measures are in place and tested. Agency management of security is an issue we plan to address in our ongoing review of this important area.

As requested, we did not obtain written agency comments on this report. We did, however, discuss its contents with NIST, OMB, and NSA officials and have included their comments where appropriate. We conducted our review between July 1989 and March 1990, in accordance with generally accepted government auditing standards.

As arranged with your office, unless you publicly release the contents of this report earlier, we plan no further distribution until 30 days after the date of this letter. At that time we will send copies to the appropriate House and Senate committees, major federal agencies, OMB, NIST, NSA, and other interested parties. We will also make copies available to others on request.

This report was prepared under the direction of Jack L. Brock, Jr., Director, Government Information and Financial Management, who can be reached at (202) 275-3195. Other major contributors are listed in appendix VI.

Sincerely yours, 
Appendix I

Objectives, Scope, and Methodology

In response to a June 5, 1989, request of the Chairman, House Committee on Science, Space, and Technology, and subsequent agreements with his office, we assessed the impact of the computer security planning and review process required by the Computer Security Act of 1987.

As agreed, we limited our review primarily to 10 civilian agencies in the Washington, D.C. area: the Departments of Agriculture, Commerce, Energy, Health and Human Services, the Interior, Labor, Transportation, the Treasury, and Veterans Affairs and the General Services Administration. As agreed, the Department of Defense was excluded from our review because the plans it submitted differed substantially in format and content from the civilian plans.

Specifically, we

• assessed the computer security planning process and NIST/NSA review comments on the security plans developed as a result of the process,

• determined the extent to which the 10 agencies implemented planned control measures reported in 22 selected plans, and

• developed summary statistics using a NIST/NSA data base covering over 1,500 civilian computer security plans.

To assess the impact of the planning and review process on agencies' security programs, we interviewed information resource management, computer security, and other officials from the 10 agencies listed above. In addition, we interviewed officials from NIST, NSA, and OMB who were involved in the planning process, to gain their perspectives on the benefits and problems associated with the process.

We analyzed 22 computer security plans developed by the 10 agencies and the NIST/NSA review feedback relating to the plans. Most plans addressed groups of systems. (See app. II for a description of the systems.) We selected the systems primarily on the basis of their sensitivity, significance, and prior GAO, President's Council on Integrity and Efficiency, and OMB reviews. We also reviewed federal computer security planning and review guidance, department requests for agency component plans, and department and agency computer security policies.

To determine the extent to which planned computer security controls have been implemented, we reviewed the 22 plans and discussed with agency officials the status of these controls. To develop security plan statistics, we used the NIST/NSA data base, which contains data on the status of controls for over 1,500 plans. We did not verify the status of the planned controls as reported to us by agency officials, the accuracy of the plans, or the data in the NIST/NSA data base.
Appendix II

Description of Systems in Plans GAO Reviewed

Agency or component, plan, and description of the systems covered:

Farmers Home Administration
  Automated Field Management System - Provides automated local office tools to support 2,300 offices servicing agricultural and rural development loans.
  Accounting Systems - Provides automated accounting and reporting for agricultural and rural development insured and guaranteed loans; processed 11.2 million payments and produced more than 600 finance and 500 management reports in FY 88.

Patent and Trademark Office
  Patent and Trademark Automation Systems - Provides support for the management, administration, and evaluation of information related to patent and trademark application processing. Systems include Patent Application Locating and Monitoring; Trademark Receipts/Deposit Accounts; Automated Patent System; Administrative Support; and Office Automation.

Social Security Administration
  Benefit Payment System - Provides claims processing for retirement, survivors, disability, and supplemental security income payments through 1,350 field offices and 61 service centers.
  Social Security Number Assignment System - Assigns social security numbers through the field office network, central data processing facility, and data communications of the Benefits Payment System.
  Earnings Maintenance System - Maintains an earnings history for each social security number holder. Information is sent by employers to three data operation centers and forwarded to the National Computer Center.
  Access Control Event Processor System - Controls employee movement through turnstiles, people traps, and secure areas. It also monitors fire alarm control panels and activates the fire and evacuation systems in an emergency.

Bureau of Labor Statistics
  Economic Statistics System - Provides statistics on employment and unemployment, prices and living conditions, compensation and working conditions, productivity, economic growth and employment projections, and occupational safety and health information.

Employment Standards Administration
  Federal Employees' Compensation System Level I - Provides for tracking and recording case status information in district offices. It allows medical and rehabilitation bill and compensation payment information to be transferred to their central facility for editing and calculating voucher and report creation.

U.S. Geological Survey
  National Digital Cartographic Data Base - Stores digitized map information for geological purposes to facilitate organizational requirements at the bureau, division, office, and other agencies.
  National Earthquake Information Service - Provides earthquake information to the academic community, the private sector, and government agencies.

(continued)

Federal Aviation Administration
  En Route and Terminal Air Traffic Control System - Provides control to all en route aircraft in the U.S. that are operating under instrument flight rules and are not under the control of military or other facilities.
  Maintenance and Operations Support Systems - Provide maintenance monitoring and facility and equipment support through the Remote Maintenance Monitoring System, Research and Development Computer Complex, and System Support Computer Complex.
  Interfacility Communications System - Provides ground-to-air electronic interfaces to aircraft.
  Ground-to-Air Systems - Provides aircraft position information, allows for discrete identification of aircraft, and provides the framework for data link services in U.S. aerospace.
  Weather and Flight Services Systems - Used to predict, process, and disseminate weather information that will provide the aviation community with near real-time data derived from a variety of weather sensors.

Internal Revenue Service
  Compliance Processing System - A series of programs used to ensure the highest level of voluntary taxpayer compliance with tax laws, based on research, examination of tax returns, and collection of tax deficiencies.
  Tax Processing System - Provides automated support for the business areas of input processing, investigation identification, and customer service.

Customs Service
  Automated Commercial System - Provides an on-line accounting and collection system for tracking and processing data and records pertaining to all cargo and merchandise imported into the United States.

Veterans Affairs Austin Data Processing Center
  Mainframe Equipment Configuration - Provides programmatic data processing support. Processes approximately 70 separate applications and serves about [illegible] on-line users.

General Services Administration
  FSS-19 Federal Supply System - Federal Supply Management System for procuring and distributing supplies and equipment.

Department of Energy Strategic Petroleum Reserve Project Management Office
  Mainframe Computer and PC Sensitive Systems - Provides programmatic information required to manage, operate, and maintain the Strategic Petroleum Reserve during leach/fill operations, operational standby, and drawdown and distribution operations.
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Appendix in . 

Computer Security and Privacy Han 



We developed this composite security plan to show what most civilian 
plans contained, their format, and some common omissions. Notes in 
parenthes^ show common deviations from the omb guidance. 

Compnter Security and Privacy Plan 

1. BASIC SYSTEM IDENTIFICAnON 

Reporting Department or Agency - Department of X 

Organizational Subcomponent • Subagency Y 

Operating Organization • Organization Z 

System Name/Title • Automated Report Management System (ARMS) 

System Category 

[X] M^jor Application 

I ] General-Purpose AD? Support System 

Level of Aggregation 

IX] Single Identifiable System 
I ] Group of Similar Systems 

Operational Status 

[X] Operational 

j 1 Under I^elopment 

General DescriptJon/Porpose - The primary purpose of ARMS is to 
retrieve, create, process, store, and distribute data. ( Note: The descrip- 
tion and purpose is incomplete, omb Bulletin 88-16 required a one or two 
paragraph description of the function and purpose of the system.) 

System Environment and Special Considerations • System is con- 
trolled by a ABC series computer which is stored in the computer room. 
(Note: The environment is not adequately described. (MB Bulletin 88-16 
requested a description of system location, types of computer hardware 
and software involved, tjrpes of users served, and other special 
considerations.) 

Information Contact - Security Officer, J. Doe, 202/275-xxxx 
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2. sENsmvmr of information 

r 

General Description of Inf onnation Sensitivity 

The data ARMS maintains and uses are those required to pro'/ide a total 
management information function. (Note: This description is inade- 
quate. OMB Bulletin 88-16 requested that the plans describe, in general 
terms, the nature of the system and the need for protective measures.) 

Applicable Laws or Segnlations Affecting the System 

5 U.S.C. 552a, "Privacy Act," c. 1974. 

System Protection Bequirements 

The Protection Requirement is: 

Primary Secondary Minimal/NA 
[X]ConfidentiaUty [X] [ ] { ] 

[Xllntegrity [X] [ ] M 

[X]AvallabiUty [ ] [X] [ ] 

3. SYSTEM SECURITY MEASURES 

Risk Assessment - There currently exists no formal large-scale risk 
assessment covering ARMS. We are scheduling a formal risk analysis. 

Applicable Guidance - FIPS PUBS No. 41, Computer Security Guidelines 
for Implementing the Privacy Act of 1974; FIPS PUB No. 83, GuideUnes 
on User Authentication Techniques for Computer Network Access 
Control. 
SECURITY MEASURES

MANAGEMENT CONTROLS

                                                    In place &
                                 In place  Planned   planned    N/A
Assignment of Security
  Responsibility                   [X]       [ ]       [ ]      [ ]
Risk/Sensitivity
  Assessment                       [ ]       [ ]       [X]      [ ]

A formal risk analysis program will be used to update the current
assessment. (Note: An expected operational date is not included. OMB
Bulletin 88-16 states that there should be expected operational dates for
controls that are planned or in place and planned.)

Personnel Selection
  Screening                        [ ]       [ ]       [X]      [ ]

National Agency Check Inquiries (NACI) are required for all employees
but have not been completed for everyone having access to sensitive
information. Expected operational date - October 1989.

DEVELOPMENT CONTROLS

                                                    In place &
                                 In place  Planned   planned    N/A
Security Specifications            [X]       [ ]       [ ]      [ ]
Design Review & Testing            [ ]       [ ]       [ ]      [X]
Certification/
  Accreditation                    [ ]       [X]       [ ]      [ ]

(Note: No information is given for certification/accreditation. OMB
Bulletin 88-16 states that a general description of the planned measures
and expected operational dates should be provided.)
OPERATIONAL CONTROLS

                                                    In place &
                                 In place  Planned   planned    N/A
Production, I/O
  Controls                         [X]       [ ]       [ ]      [ ]
Contingency Planning               [ ]       [X]       [ ]      [ ]

A contingency plan is being developed in compliance with requirements
established by the agency's security program. Completion date - November
1990.

Audit and Variance
  Detection                        [ ]       [ ]       [X]      [ ]

Day-to-day procedures are being developed for variance detection. Audit
reviews are also being developed and will be conducted on a monthly
basis. Completion date - June 1989.

Software Maintenance
  Controls                         [X]       [ ]       [ ]      [ ]
Documentation                      [X]       [ ]       [ ]      [ ]

SECURITY AWARENESS AND TRAINING

                                                    In place &
                                 In place  Planned   planned    N/A
Security Awareness
  and Training Measures            [ ]       [ ]       [X]      [ ]

Training for management and users in information and application
security will be strengthened, and security awareness training provided
for all new employees beginning in June 1989.



TECHNICAL CONTROLS

                                                    In place &
                                 In place  Planned   planned    N/A
User Identification
  and Authentication               [X]       [ ]       [ ]      [ ]
Authorization/
  Access Controls                  [X]       [ ]       [ ]      [ ]
Data Integrity
  & Validation Controls            [X]       [ ]       [ ]      [ ]
Audit Trails
  & Journaling                     [X]       [ ]       [ ]      [ ]

SUPPORT SYSTEM SECURITY MEASURES

                                                    In place &
                                 In place  Planned   planned    N/A
Security Measures
  for Support Systems              [X]       [ ]       [ ]      [ ]

4. NEEDS AND ADDITIONAL COMMENTS

(Note: This section was left blank in most plans. OMB Bulletin 88-16
stated that the purpose of this section was to give agency planners the
opportunity to include comments concerning needs for additional guidance,
standards, or other tools to improve system protection.)
The following example shows typical NIST/NSA comments and
recommendations.

COMPUTER SECURITY PLAN REVIEW PROJECT COMMENTS
AND RECOMMENDATIONS

REF. NO. 0001

AGENCY NAME: Department of X, Subagency Y

SYSTEM NAME: Automated Report Management System

The brevity of information in the information sensitivity, general system
description, and the system environment sections made it difficult to
understand the security needs of the system. Information on the physical,
operational, and technical environment and the nature of the sensitivity
is essential to understanding the security needs of the system.

For some controls, such as security training and awareness, expected
operational dates are not indicated as required by OMB Bulletin 88-16.

The plan refers to the development control, design review and testing, as
not applicable. Even in an operational system, development controls should
be addressed as historical security measures and as ongoing measures for
changing hardware and software.

The plan notes that a more formal risk assessment is being planned. This
effort should help your organization more effectively manage risks and
security resources. National Institute of Standards and Technology Federal
Information Processing Standards Publication 65, "Guideline for Automatic
Data Processing Risk Analysis," and 73, "Guideline for the Security of
Computer Applications" may be of help in this area.
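The OMB Bulletin 88-16 points raised in the composite plan notes and in the NIST/NSA comments above (planned or in-place-and-planned controls need an expected operational date and a description of the planned measures; development controls should not be dismissed as not applicable) can be applied mechanically to a plan's control entries. The following checker is an added example, not part of the GAO report or the NIST/NSA review project; the field names and rule wording are assumptions, and the control entries are transcribed from the composite plan.

```python
"""Checks a security plan's control entries against the OMB Bulletin 88-16
points quoted in the composite plan notes and the NIST/NSA review comments.
Added example: rule wording, field names and sample entries are mine."""
from dataclasses import dataclass
from typing import List, Optional

IN_PLACE, PLANNED, BOTH, NA = "in place", "planned", "in place & planned", "n/a"
NEEDS_DATE = {PLANNED, BOTH}  # statuses that require an expected operational date

@dataclass
class Control:
    name: str
    category: str  # management, development, operational, ...
    status: str
    description: str = ""  # narrative given with the control
    expected_date: Optional[str] = None  # explicit "Expected operational date"

def check_control(c: Control) -> List[str]:
    """Return one finding per rule the entry fails (empty list if it passes)."""
    findings = []
    if c.status in NEEDS_DATE and not c.expected_date:
        findings.append(f"{c.name}: no expected operational date")
    if c.status in NEEDS_DATE and not c.description.strip():
        findings.append(f"{c.name}: no description of the planned measures")
    if c.category == "development" and c.status == NA:
        findings.append(f"{c.name}: development control marked N/A; address it "
                        "as a historical and ongoing measure")
    return findings

def review_plan(controls: List[Control]) -> List[str]:
    return [f for c in controls for f in check_control(c)]

# Entries transcribed from the composite plan (constructed sample data). Training
# gives a date only in its narrative, the gap the NIST/NSA reviewer pointed out.
COMPOSITE_PLAN = [
    Control("Risk/sensitivity assessment", "management", BOTH,
            "A formal risk analysis program will update the assessment."),
    Control("Design review & testing", "development", NA),
    Control("Certification/accreditation", "development", PLANNED),
    Control("Contingency planning", "operational", PLANNED,
            "Contingency plan being developed.", "November 1990"),
    Control("Audit and variance detection", "operational", BOTH,
            "Variance procedures and monthly audit reviews.", "June 1989"),
    Control("Security awareness and training", "training", BOTH,
            "Training strengthened for new employees from June 1989."),
]

if __name__ == "__main__":
    print("\n".join(review_plan(COMPOSITE_PLAN)))
```

Run against the transcribed entries it reproduces the reviewer's findings: the risk assessment, certification/accreditation and training entries lack dates, certification/accreditation also lacks a description, and design review and testing is marked N/A.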
Status of Security Controls in 1,542 Plans

Security controls                             Plans responded(a)  In place  Planned  [header illegible]
Management controls
  Assignment of security responsibility              1,448            91         5           4
  Personnel selection and screening                  1,268            84        11           5
  Risk analysis and sensitivity assessment           1,321            71        13          17
Development controls
  Design review and testing                            728            82        10           8
  Certification and accreditation                      948            66        10          24
  Security and acquisition specifications            1,093            83        10           7
Operational controls
  Audit and variance detection                       1,177            81         7          12
  Documentation                                      1,375            83        10           8
  Emergency, backup, and contingency planning        1,381            69        14          17
  Physical and environmental protection                450            87        10           4
  Production and input/output controls               1,290            87         7           7
  Software maintenance controls                      1,327            87         7           7
  Security training and awareness measures           1,408            58        27          15
Technical controls
  Authorization/access controls                      1,389            87         6           7
  Confidentiality controls                             357            84         7           9
  Audit trail mechanisms                             1,194            83         8           9
  Integrity controls                                 1,220            85         8           7
  User identification and authentication             1,370            87         7           6
  [control name illegible]                        [illegible]         81        10          10

Note: The status of security controls is based on information reported in
1,542 civilian plans in early 1989 and contained in the NIST/NSA database.
Figures are percentages. Some percentages do not add to 100 due to rounding.

(a) "Plans responded" is the number of plans, out of 1,542, that addressed
each control.
Appendix VI

Carol J. James, Evaluator

Related GAO Products

Computer Security: Identification of Sensitive Systems Operated on
Behalf of Ten Agencies (GAO/IMTEC-89-70, Sept. 27, 1989).

Computer Security: Compliance With Security Plan Requirements of the
Computer Security Act (GAO/IMTEC-[report number illegible], June 21, 1989).

Computer Security: Compliance With Training Requirements of the
Computer Security Act of 1987 (GAO/IMTEC-89-16BR, Feb. 22, 1989).

Computer Security: Status of Compliance With the Computer Security
Act of 1987 (GAO/IMTEC-88-61BR, Sept. 22, 1988).